Edit tour

Windows Analysis Report
Ricowell Ind New INQ.bat.exe

Overview

General Information

Sample name:	Ricowell Ind New INQ.bat.exe
Analysis ID:	1510343
MD5:	4dd85e61424127b013bd9b3106b63fff
SHA1:	cb0a510edadbf4b6a495c8091f81a926adf6e1f0
SHA256:	6c9fcfe5c1673bf732478c3ca43d2d4f35837e116b002eff5bb92b1a4aafdaf3
Tags:	batexe
Infos:

Detection

GuLoader

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

AI detected suspicious sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Ricowell Ind New INQ.bat.exe (PID: 5524 cmdline: "C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe" MD5: 4DD85E61424127B013BD9B3106B63FFF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3904560282.0000000006A71000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Ricowell Ind New INQ.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Ricowell Ind New INQ.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_0040603A FindFirstFileA,FindClose,	0_2_0040603A
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055F6
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: Ricowell Ind New INQ.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Ricowell Ind New INQ.bat.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_0040515D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040515D

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403217

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_00406310		0_2_00406310
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_0040499C		0_2_0040499C

Source: Ricowell Ind New INQ.bat.exe, 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesalverede.exeDVarFileInfo$ vs Ricowell Ind New INQ.bat.exe
Source: Ricowell Ind New INQ.bat.exe	Binary or memory string: OriginalFilenamesalverede.exeDVarFileInfo$ vs Ricowell Ind New INQ.bat.exe

Source: Ricowell Ind New INQ.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.troj.evad.winEXE@1/14@0/0

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040442A

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

File created: C:\Users\user\Videos\legioner.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nst8EF5.tmp

Jump to behavior

Source: Ricowell Ind New INQ.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

File read: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Besiddetrang.lnk.0.dr

LNK file: ..\..\..\Program Files (x86)\rytmiskes.cry

Source: Ricowell Ind New INQ.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3904560282.0000000006A71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406061

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_10002D30 push eax; ret

0_2_10002D5E

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

RDTSC instruction interceptor: First address: 7166580 second address: 7166580 instructions: 0x00000000 rdtsc 0x00000002 cmp dl, al 0x00000004 test dl, al 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F91A0F42C41h 0x0000000a cmp bl, cl 0x0000000c inc ebp 0x0000000d test dx, dx 0x00000010 inc ebx 0x00000011 rdtsc

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_0040603A FindFirstFileA,FindClose,	0_2_0040603A
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055F6
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	API call chain: ExitProcess graph end node			graph_0-4429
Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe	API call chain: ExitProcess graph end node			graph_0-4263

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406061

Source: C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe

Code function: 0_2_00405D58 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D58

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ricowell Ind New INQ.bat.exe	11%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	Ricowell Ind New INQ.bat.exe	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Ricowell Ind New INQ.bat.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1510343
Start date and time:	2024-09-12 21:05:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ricowell Ind New INQ.bat.exe
Detection:	MAL
Classification:	mal56.troj.evad.winEXE@1/14@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 56 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Ricowell Ind New INQ.bat.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll	Setup_x86.exe	Get hash	malicious	Unknown	Browse
	ORDER.exe	Get hash	malicious	FormBook, GuLoader	Browse
	ORDER.exe	Get hash	malicious	Unknown	Browse
	ulACwpUCSU.exe	Get hash	malicious	FormBook, GuLoader	Browse
	fJuwM4Bwi7.exe	Get hash	malicious	FormBook, GuLoader	Browse
	ulACwpUCSU.exe	Get hash	malicious	GuLoader	Browse
	fJuwM4Bwi7.exe	Get hash	malicious	GuLoader	Browse
	Factura 02297-23042024.exe	Get hash	malicious	FormBook, GuLoader	Browse
	anebilledes.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Factura 02297-23042024.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\Public\Videos\Besiddetrang.lnk

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	756
Entropy (8bit):	3.5568394946752115
Encrypted:	false
SSDEEP:	12:8wl080a/ledp8tzIAGbdpYQI1aBQ1EyPWEMMgQ/CNUvH4t2YZ/elFlSJm:8wudOaAidU1zPWNMXOUFqy
MD5:	04D3F037352154B28FA024EE90038BE2
SHA1:	A9A62DFA3C118F889208CD01FB26C73061C21839
SHA-256:	E31858B8877D05EE8EF5F12ED1AE001CEBADCE0143287BB28B44A1EFFDEA037A
SHA-512:	0CCDB5F88DCD7231B809D3085F49C37E6780AC7360BCDC36E51C01C77555B8B2E143D3D766404841EB240306D73E893EB9AC5A7F88DB2DDD9310A755F8484687
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".h.2...........rytmiskes.cry.L............................................r.y.t.m.i.s.k.e.s...c.r.y............\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.r.y.t.m.i.s.k.e.s...c.r.y.:.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.R.h.a.b.d.o.p.h.o.r.a.\.f.r.y.s.e.r.e.\.t.u.r.n.p.i.k.e.........................@Z\|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\Commissionary.Und

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	little endian ispell hash file (?), and 3598 string characters
Category:	dropped
Size (bytes):	140670
Entropy (8bit):	4.601584331134234
Encrypted:	false
SSDEEP:	1536:rab6UPGJZVm9X6EJzF2pn6dLmfjHExkT/KvWISNuBPuY3qafdxBR93xX:rSPGXVg6Q524xGIxk+tBPuNYBRT
MD5:	61E86D5C4A9BA6D4BC24C373D44393F6
SHA1:	E741F4F9863BA09996ABD4BD313954C11E73A68E
SHA-256:	B45B506E1827D6C57496FDEA9F37D09EC3CDC865B6E89E74577C738C04D19169
SHA-512:	84431E29D2480E1CDC664D8FE5A7F32525A9CB2439F05BD3D765DD4AFE96E70739EC6479F7999489AF170B8405C788D314C586C294221D193B009A5FC17EB172
Malicious:	false
Reputation:	low
Preview:	.......iii.dd.i.....iii.......VV...........O..;;.........................]].....u.bb.ii..w.A..........t..............LLL....................jj.....ppp.....cc.^.................i..........................................88....www.......[........f.......................................................................................+++...................C..b.......PP.---..R............;;;;....6.......$.................,.....o...W..{.W.\...............tt.............K.aa........^...........sss..[[[[[..x....................x.4........3.,,.......ZZ.............jj....................E............!!..//////............`....[[....................ddd....___....y..................~....!!.............................M..,,..........t.................bbb.....U....................."""............OOOOO............RR.>>>..9.......;.....X.......E.._.......................FF.hh.......##..Z..vv.......''............rr.....K.........??...{.......\|.PP......................%......JJJJJJJ..)).aaaaa...........

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\Praksissernes.kra

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	70089
Entropy (8bit):	1.2513184695627344
Encrypted:	false
SSDEEP:	384:lvTTNGT9BZiwMEYhyzAd97w8/LgInf+mLOcPI5fVOv5NxF1FOn4Y0ZNvh5OHgG:lTNWFTMEYYE72InTCuKQ7FOnQv/OAG
MD5:	D8E80CDEDAE3E054BA1D69902A2CA6D4
SHA1:	B53C03824D1EDE6681868FF46E00E42D5E7A046F
SHA-256:	F5C68DAB62BFF1B4F551D1128A5A7ABD4C4B337C1CDA41F3397C22E8E10F019C
SHA-512:	D1830FA22A6E13BF580D118B14F602520909886DE720B38BA592F427D0553735E981CFA05A2366DAEF86735B6F83C2BD217AF44B12E5826B74C78E25E9F62295
Malicious:	false
Reputation:	low
Preview:	......p.................n...X....................d..........................*............................................................................M............[...........~...............................d....39...................................................................................................................................................................................................................................}.............X........................................................................................q...............................................^.................O....................................................................................Z...........................'................................................................4.........................................................o...[............................................m...............0......................X....0.........................................................

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\Stewart.Min

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	433347
Entropy (8bit):	7.045313421294136
Encrypted:	false
SSDEEP:	12288:QUPu0XwaiQjRS4VmoXukj9VXSRLKU8qV4:LPtCQ9VmgucrSRO7qV4
MD5:	AB410022AA79704761696EDECD82F64C
SHA1:	93E3C5004A4DEC20EEC79A9C8175052C305866EE
SHA-256:	DAA5834F7AE3A698960BF0CCCE998A3B829982921D05140D53F1A6100E3F28E0
SHA-512:	7A86A1B7D8D2541577ACBF11EE1F8FFD8F62288EE407B5DE32D46308C8394F9C9A96A5C37FFAA7882995F4DB1E2CBE9823785AF63AC3CBE36FB6968B28628678
Malicious:	false
Reputation:	low
Preview:	......LLLLL..................................................................................rr................p.=.......PP.f.......................c......................c..........!!....?....................t........................77..XX......................OO......g...A....FFFF..FF........\|\|...........""..............--...............J...............#.]..h......^......<<<<.....h....8..................NN...........@@..........._...............................p.....................................................m........```..........z............................6....................I........................... ........##......CCC.....d....................__....JJJ....................z...WW................ZZ.R.......}}........??.....TT.=........b......d..).......................jj......---.>.'.....EEEEE............``......6.....)...................................\|........R.....**...f...)))...................7....!...............d...........VVV..........b...o....^...............UUU.

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\dev.med

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	FoxPro FPT, blocks size 88, next free block index 170, field type 0
Category:	dropped
Size (bytes):	316850
Entropy (8bit):	1.2494344843876144
Encrypted:	false
SSDEEP:	768:UI1y6B1e+17bZEPl0Rnof0brVBSd/oyoTbFlbQ/BZ97yVOTLjv13Y5vx70El7oAN:ra0Xi31pavVKOa4fVlj
MD5:	5D01D49C1498EC6723D7F194D210DDEB
SHA1:	283514D6E17F8552A70B4B0DFB419D77FA0AE033
SHA-256:	6D1337BE2B7C1C17CA7BE7B75518902C618F904923FE3FFBDF4F519DB6BB2BB8
SHA-512:	286727E8962A8339E4527BFAE8B5879FF2A319C6DA090EB8130FBBB94C0C51AA0931CBCDCFC8D0B63D1DC3F30271AC193FE78C809D3F6A8B0648EB2228FEAF4D
Malicious:	false
Reputation:	low
Preview:	.......X.........................J....q..................o....................................................n..............................{....5.p..V.........GV.........c........$..................................R...e.....E....................3..u...................%.....................+.......T.............z......................................`..............v....................................0................Y............................................................................................................................................................................W.........................D..................c.......................$...............N................f............... ...........R........ ....................y..............g......................P...............................................................................V.......t..............J.se...L.........................................\.........,.w.......................................D..

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\hverdagsagtiges.afh

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	291479
Entropy (8bit):	1.2623895916251218
Encrypted:	false
SSDEEP:	768:I4aF3mt3WBkVYqYZkjVzW72s6Y1rHtslWyNS652rpnfdK4xlkidjdUgxuZHUKiji:+8WZqVPshpX7P/77Lm7X7
MD5:	2DAE10B8A993D301D5B30447CD554D49
SHA1:	C0E795B9EBEA6ABAE51A0A56B377BDCE7A52CCF2
SHA-256:	991EFFB618E7714390252B543789A0B6FE9E2650BD0F5049164DA51717031F51
SHA-512:	738EE8FC2733644DD773F975075895D5D32AE2F5220A885F07F50873EA2D8FBD2E4DD9400647DF0A11E26B1489CE7391D692874D5E998E1979005D80A2790683
Malicious:	false
Reputation:	low
Preview:	..................Y......................H...............Z..B............................!...................b..D........................................n...........{..........................9...............................................u..........................................................................................I.........T...............U.............&..............R.....................................................................................y..................F.....Z.....&................................................B.......L.............%...U.......;..........................I..................................._.......D....t........g.....................#.................n..a......................................M......i.....................Z..............................................{..................................................................................#....h.....U.............?.G..............L...........................................

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\stenhuggeriernes.txt

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	527
Entropy (8bit):	4.275388286900901
Encrypted:	false
SSDEEP:	12:sfiS0lw/iN/QGXqpBqt1J5WgR+FofZRVoENhEWJv:sfi3G/iRuLqzGe+FGoENhEqv
MD5:	E22011A429D7D0729AA1A0B9CADAC17A
SHA1:	793AE0FACF787AD29AA11A91EBFA079616EC1F10
SHA-256:	5B857AAE7EEA7961E5571C1E7FA394E6B98C833E74E106C960BBD4D0564AC87B
SHA-512:	32E762E9309D70F33F6B0537D55629C437D380EF2C5849A1187F4219D53075E0D6C3DF93DF500EA3F3CB5E07E0CBA85165002671362AF5500DD569C3CEB417CE
Malicious:	false
Reputation:	low
Preview:	vilkaarligheden primaternes somewhere reformistiskes pseudoscientifically aggraverende ascidian tidsindstillet udvekslingsformaters porker igjen daddels..recoagulate submucronated cupular miasm mikrofon butterdejssnitter boreholes scrunger lafite childbirth samfundsvidenskaber..coabode archaeolater prisoning,taurean terminalknudes raisons trindadiske kardinaliteter fakkeltogene necessitarianism.altsaxofoner coliseum overdosage forbindelsesofficer reuphold ndlidendes amant,gldesfesternes spejlblankt toastable urol puffwig,

C:\Users\user\AppData\Local\Temp\nscA58E.tmp

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsj8F06.tmp

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1271146
Entropy (8bit):	4.303850602005356
Encrypted:	false
SSDEEP:	12288:fUPu0XwaiQjRS4VmoXukj9VXSRLKU8qVOj+Bhu0:8PtCQ9VmgucrSRO7qVLt
MD5:	C039BB93CFE6FBCE8775D71B4A97121F
SHA1:	B6C450E314C239A093B32CE76965F3218052CA93
SHA-256:	D810072EAB5D14118C42BB910B9D41E8BA4A4375A8147251F48F805B41099E35
SHA-512:	602081EC013E79F9C019FE03316D320345A21291B9DC768EEDDFA5A5D29B6FDDD9C1D30CE7E48EA19DA46E38CE5BEDE725858BB1DCF6AADCA48BDA753DA813A9
Malicious:	false
Preview:	........,...................x...............................................................................................................................................................................................................................................................J...b...........#...j...............................................................................................................................k.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk9FB0.tmp

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.779474184733856
Encrypted:	false
SSDEEP:	96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u
MD5:	6F5257C0B8C0EF4D440F4F4FCE85FB1B
SHA1:	B6AC111DFB0D1FC75AD09C56BDE7830232395785
SHA-256:	B7CCB923387CC346731471B20FC3DF1EAD13EC8C2E3147353C71BB0BD59BC8B1
SHA-512:	A3CC27F1EFB52FB8ECDA54A7C36ADA39CEFEABB7B16F2112303EA463B0E1A4D745198D413EEBB3551E012C84A20DCDF4359E511E51BC3F1A60B13F1E3BAD1AA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup_x86.exe, Detection: malicious, Browse Filename: ORDER.exe, Detection: malicious, Browse Filename: ORDER.exe, Detection: malicious, Browse Filename: ulACwpUCSU.exe, Detection: malicious, Browse Filename: fJuwM4Bwi7.exe, Detection: malicious, Browse Filename: ulACwpUCSU.exe, Detection: malicious, Browse Filename: fJuwM4Bwi7.exe, Detection: malicious, Browse Filename: Factura 02297-23042024.exe, Detection: malicious, Browse Filename: anebilledes.exe, Detection: malicious, Browse Filename: Factura 02297-23042024.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....\.U...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text..._........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..b....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsoA83F.tmp

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.51038309657817
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEjXcxc/MFWxQoXUn:za/MFWxvUn
MD5:	D562E602E53D53099D119AE5C05621A6
SHA1:	97BFC9284FA3CAE81B114BFBC596D3524B5DEAEC
SHA-256:	547B6581CFC7080DCFDE7D659975DBD3C8453340FEAD6D9D730C3EF1A321BE7E
SHA-512:	BF6561985EA724A425CAA7C57F87ED280A02D465BE3F5C722B2EBD089692A7F60C6C4F95F1FC414DB1C77351A78E2DD6639681C9BDB58CA64930FDFF491AED18
Malicious:	false
Preview:	kernel32::VirtualAlloc(i 0,i 98922496, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Local\Temp\nspAAB1.tmp

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.286618146008852
Encrypted:	false
SSDEEP:	3:sAAEVvjsxc18L84n:fLV1y
MD5:	CC1EFDC8BFFFF229914A7F388FA2E097
SHA1:	DB9C5B435EA436A44B459143BD6F2305E87EED22
SHA-256:	DC5091A590EA356B8D08D9A053D42B51B91ECC876F29F2CDC589F77F1097C231
SHA-512:	B63125D3C32176FA593FF17913C63CBED1FB7900AE60C4998DDD7F736D4F6AE40FF828AF145579F11C974546E6EA78429694E268EEFF964EC442CE9320F98269
Malicious:	false
Preview:	kernel32::ReadFile(i r5, i r1, i 98922496,*i 0, i 0)i.r3

C:\Users\user\AppData\Local\Temp\nsqAE0D.tmp

Download File

Process:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.669590475089014
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ricowell Ind New INQ.bat.exe
File size:	626'090 bytes
MD5:	4dd85e61424127b013bd9b3106b63fff
SHA1:	cb0a510edadbf4b6a495c8091f81a926adf6e1f0
SHA256:	6c9fcfe5c1673bf732478c3ca43d2d4f35837e116b002eff5bb92b1a4aafdaf3
SHA512:	1e2f1d231a77efeff7fe4504180e18da26ce630f049155d7cb8975abbcd0982c6a52f0f8190ee3a97c68b4ce801c1f0579192ee676c10df4663c08a1a6952922
SSDEEP:	6144:qcQ9zFQ+29Sn4Zr7n8lJ/vMLJnJmH1YMqJqcn9me0TtJMiWIBLuExc3QRaF0ZENN:uQ7c4WlPWprP0TGsyXcJFAYwvYF23
TLSH:	E2D40254FBA0CD07CE08167899A2F77CA234AF989D1786276FFC3EAB3D25B195C84141
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....\.U.................^...........2.......p....@

File Icon


Icon Hash:	033b3b2b2f231903

Static PE Info

General

Entrypoint:	0x403217
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x55C15CE3 [Wed Aug 5 00:46:27 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59a4a44a250c4cf4f2d9de2b3fe5d95f

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [004237B8h], eax
call 00007F91A122FB2Ah
mov dword ptr [00423704h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECB8h
call dword ptr [00407164h]
push 004091E4h
push 00422F00h
call 00007F91A122F7D4h
call dword ptr [004070B0h]
mov ebp, 00429000h
push eax
push ebp
call 00007F91A122F7C2h
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423700h], eax
mov eax, ebp
jne 00007F91A122CD2Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F91A122F252h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F91A122CDE5h
cmp cl, 00000020h
jne 00007F91A122CD28h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F91A122CD1Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x19a38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c3a	0x5e00	e5e7adda692e6e028f515fe3daa2b69f	False	0.658951130319149	data	6.410406825129756	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	5801d712ecba58aa87d1e7d1aa24f3aa	False	0.4522569444444444	OpenPGP Secret Key	5.236122428806677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	cc58d0a55ac015d8f1470ea90f440596	False	0.615234375	data	5.02661163746607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x13000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0x19a38	0x19c00	e044a410021a8fe3ff8a6b58a67f455f	False	0.32481606492718446	data	4.427147608048424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x372c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.28862534011593516
RT_ICON	0x47af0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.37706660368445916
RT_ICON	0x4bd18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.4048755186721992
RT_ICON	0x4e2c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.4725609756097561
RT_ICON	0x4f368	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.5151639344262295
RT_ICON	0x4fcf0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.5363475177304965
RT_DIALOG	0x50158	0x100	data	English	United States	0.5234375
RT_DIALOG	0x50258	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x50378	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x503d8	0x5a	data	English	United States	0.7888888888888889
RT_VERSION	0x50438	0x2c0	data	English	United States	0.4772727272727273
RT_MANIFEST	0x506f8	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:06:05
Start date:	12/09/2024
Path:	C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"
Imagebase:	0x400000
File size:	626'090 bytes
MD5 hash:	4DD85E61424127B013BD9B3106B63FFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3904560282.0000000006A71000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	14.4%
Signature Coverage:	19.5%
Total number of Nodes:	1468
Total number of Limit Nodes:	41

Executed Functions

Function 00403217 Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 337
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403238
SetErrorMode.KERNELBASE(00008001), ref: 00403243
OleInitialize.OLE32(00000000), ref: 0040324A

Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,00000160,00000000,00000009), ref: 00403272

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",00000000), ref: 0040329A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",00000020), ref: 004032C5
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040340C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403414
DeleteFileA.KERNELBASE(1033), ref: 00403428
OleUninitialize.OLE32(?), ref: 004034D6
ExitProcess.KERNEL32 ref: 004034F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",00000000,?), ref: 00403502
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040351A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403521
DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,00424000,?), ref: 0040357A
CopyFileA.KERNEL32(C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,0041E8B8,00000001), ref: 0040358E
CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000005,00000004), ref: 00403614
ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368F

Strings

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 004034B3
SeShutdownPrivilege, xrefs: 00403626
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403227
`KXu, xrefs: 00403400
C:\Users\user\AppData\Local\Temp\, xrefs: 004033B7, 004033BC, 004033D2, 004033DE, 004033ED, 004033FA, 00403406, 0040340E, 00403501, 0040350D, 00403519, 00403520, 004035CF
C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe, xrefs: 00403589
TEMP, xrefs: 00403407
", xrefs: 004032EA
\Temp, xrefs: 004033D9
"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe", xrefs: 0040328D, 00403293, 0040344C
Low, xrefs: 004033F5
C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 004033A7, 004034A8, 00403527, 00403530
Error launching installer, xrefs: 0040348E
NSIS Error, xrefs: 00403278
C:\Users\user\Desktop, xrefs: 00403507, 0040350C, 0040352F
~nsu.tmp, xrefs: 004034FC
1033, xrefs: 00403423
TMP, xrefs: 0040340F

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"$1033$C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike$C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$`KXu$~nsu.tmp
API String ID: 4107622049-1115493218
Opcode ID: a00b215820a1fa6a230efcb39fea29283eff6eac4ca07d0765cafeb017810fa6
Instruction ID: 3d26bb40307c87b2cd60c260c775e6d0301d96a10e68b952128d49a18977981a
Opcode Fuzzy Hash: a00b215820a1fa6a230efcb39fea29283eff6eac4ca07d0765cafeb017810fa6
Instruction Fuzzy Hash: 85B107706082517AE721AF659D8DA2B3EACEB41706F04447FF541BA1E2C77C9E01CB6E

Function 0040515D Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004051BC
GetDlgItem.USER32(?,000003EE), ref: 004051CB
GetClientRect.USER32(?,?), ref: 00405208
GetSystemMetrics.USER32(00000002), ref: 0040520F
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405230
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405241
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405254
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405262
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405275
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405297
ShowWindow.USER32(?,00000008), ref: 004052AB
GetDlgItem.USER32(?,000003EC), ref: 004052CC
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004052DC
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052F5
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405301
GetDlgItem.USER32(?,000003F8), ref: 004051DA

Part of subcall function 00404021: SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

GetDlgItem.USER32(?,000003EC), ref: 0040531D
CreateThread.KERNELBASE(00000000,00000000,Function_000050F1,00000000), ref: 0040532B
CloseHandle.KERNELBASE(00000000), ref: 00405332
ShowWindow.USER32(00000000), ref: 00405355
ShowWindow.USER32(?,00000008), ref: 0040535C
ShowWindow.USER32(00000008), ref: 004053A2
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
CreatePopupMenu.USER32 ref: 004053E7
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053FC
GetWindowRect.USER32(?,000000FF), ref: 0040541C
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405435
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405471
OpenClipboard.USER32(00000000), ref: 00405481
EmptyClipboard.USER32 ref: 00405487
GlobalAlloc.KERNEL32(00000042,?), ref: 00405490
GlobalLock.KERNEL32(00000000), ref: 0040549A
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054AE
GlobalUnlock.KERNEL32(00000000), ref: 004054C7
SetClipboardData.USER32(00000001,00000000), ref: 004054D2
CloseClipboard.USER32 ref: 004054D8

Strings

Tosporet Setup: Installing, xrefs: 0040544D

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Tosporet Setup: Installing
API String ID: 590372296-1449912710
Opcode ID: ddce3f407c61e1ebc3cac1cca45d68d18475e72ad548d40fcbdeb08d48be2a44
Instruction ID: 24acf85f457993e5d1a00f4a74fbc0a00d7f38a893508f9c9f1f5035b4e63235
Opcode Fuzzy Hash: ddce3f407c61e1ebc3cac1cca45d68d18475e72ad548d40fcbdeb08d48be2a44
Instruction Fuzzy Hash: 5FA15BB1900208BFDB219FA0DD89AAE7F79FB08355F10407AFA04B61A0C7B55E51DF69

Function 00405D58 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00405057,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000), ref: 00405E09
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405E84
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405E97
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405ED3
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00405EE1
CoTaskMemFree.OLE32(00000000), ref: 00405EEC
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F0E
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00405057,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000), ref: 00405F60

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll, xrefs: 00405D87
Call, xrefs: 00405D7F, 00405E51, 00405E6E, 00405E83, 00405E96, 00405EB2, 00405EDD, 00405F0D, 00405F13, 00405F2B, 00405F3E, 00405F59, 00405F5F, 00405F6A, 00405F94
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E53
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F08

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-3619070476
Opcode ID: 0d90defceccf7a3314d6588998510e1a0ef65c4c2f55f086f079bc5466073577
Instruction ID: 9c0e267699f90c8e910d98bdf84d4b8f2614ab6024826f89c9d009b20b1e8bc4
Opcode Fuzzy Hash: 0d90defceccf7a3314d6588998510e1a0ef65c4c2f55f086f079bc5466073577
Instruction Fuzzy Hash: 10610571A04905ABDF215F64DC84B7B3BA8DB55304F10813BE641B62D1D33C4A42DF9E

Function 004055F6 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040561F
lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405667
lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405688
lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040568E
FindFirstFileA.KERNELBASE(00420D00,?,?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040569F
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040574C
FindClose.KERNEL32(00000000), ref: 0040575D

Strings

\*.*, xrefs: 00405661
C:\Users\user\AppData\Local\Temp\, xrefs: 00405604
"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe", xrefs: 004055F6

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1006310348
Opcode ID: 82da6914721141c23c952b2a557d454053f92afbcbfffd72d9d73708a50b9132
Instruction ID: a1a18f6d4a87cf364f513f4d5348cf8987bf6841df45d5f239a42b9e89fe31fb
Opcode Fuzzy Hash: 82da6914721141c23c952b2a557d454053f92afbcbfffd72d9d73708a50b9132
Instruction Fuzzy Hash: 8051D230905A04FADB216B618C89BBF7AB8DF42714F54803BF445721D2D73C4942EE6E

Function 00406310 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743aa33a108d29f9cab5e819e308a9554fb8e98817c33194d1e30fb36f92eda3
Instruction ID: 49e2905b870d629617cd54a3ad4ea64d750052a334705c7e6b68d35cedeefd19
Opcode Fuzzy Hash: 743aa33a108d29f9cab5e819e308a9554fb8e98817c33194d1e30fb36f92eda3
Instruction Fuzzy Hash: 28F17970D00229CBCF28CFA8C8946ADBBB1FF45305F25856ED856BB281D3785A96CF45

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143

Strings

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 004020CB

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike
API String ID: 123533781-862733243
Opcode ID: 6766bdf138d9a3476f59e6ec973922d24ccafdcf77b7cead4b35a4f15cd1a772
Instruction ID: 1053df79af30500630abfeafbcf843dcec04d0d4e3091bc204b5fde3a4f6985c
Opcode Fuzzy Hash: 6766bdf138d9a3476f59e6ec973922d24ccafdcf77b7cead4b35a4f15cd1a772
Instruction Fuzzy Hash: 3B416D71A00209BFCB40EFA4CE88E9E7BB5BF48354B2042A9F911FB2D1D6799D41DB54

Function 0040603A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,00421548,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,004058F7,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00406045
FindClose.KERNEL32(00000000), ref: 00406051

Strings

C:\Users\user\AppData\Local\Temp\nspAAB1.tmp, xrefs: 0040603A

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nspAAB1.tmp
API String ID: 2295610775-2486177878
Opcode ID: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction ID: ffb9975cce6792308ede9dbdbab0a2e32819aea082b360212a672f9e7c6ece7a
Opcode Fuzzy Hash: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction Fuzzy Hash: 7BD012319490306BC3106B787C0C85B7A599F573317118A33B56AF12F0C7389C7286ED

Function 00406061 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction ID: 2c1b19e4de550b622e70843c6ca25527790cfa0381149662c4593fbace01eca7
Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction Fuzzy Hash: 00E0C232A04211ABC321AB749D48D3B73ACAFD8751309493EF50AF6150D734AC21EBBA

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
ShowWindow.USER32(?), ref: 00403B72
DestroyWindow.USER32 ref: 00403B86
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
GetDlgItem.USER32(?,?), ref: 00403BC3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
IsWindowEnabled.USER32(00000000), ref: 00403BDE
GetDlgItem.USER32(?,00000001), ref: 00403C8C
GetDlgItem.USER32(?,00000002), ref: 00403C96
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D01
GetDlgItem.USER32(?,00000003), ref: 00403DA7
ShowWindow.USER32(00000000,?), ref: 00403DC8
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDA
EnableWindow.USER32(?,?), ref: 00403DF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0B
EnableMenuItem.USER32(00000000), ref: 00403E12
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
lstrlenA.KERNEL32(Tosporet Setup: Installing,?,Tosporet Setup: Installing,00422F00), ref: 00403E66
SetWindowTextA.USER32(?,Tosporet Setup: Installing), ref: 00403E75
ShowWindow.USER32(?,0000000A), ref: 00403FA9

Strings

Tosporet Setup: Installing, xrefs: 00403E52, 00403E5C, 00403E65, 00403E73

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Tosporet Setup: Installing
API String ID: 3282139019-1449912710
Opcode ID: 0715b8fe610bdd71fae90ba33bb4a09e8b5ebb3c50d1a2f397537002d346961d
Instruction ID: 1f8690e76de68066656ca8d54ad2d010e53819933bf2384d883f7e4ba9537b83
Opcode Fuzzy Hash: 0715b8fe610bdd71fae90ba33bb4a09e8b5ebb3c50d1a2f397537002d346961d
Instruction Fuzzy Hash: 17C1C071A04205BBDB21AF21ED48D2B7EBCFB44706F40443EF601B11E1C7799942AB6E

Function 00403787 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

lstrcatA.KERNEL32(1033,Tosporet Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tosporet Setup: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573410,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",00000000), ref: 00403802
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike,1033,Tosporet Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tosporet Setup: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403877
lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
GetFileAttributesA.KERNEL32(Call), ref: 00403895
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike), ref: 004038DE

Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1

RegisterClassA.USER32(00422EA0), ref: 0040391B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403933
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
ShowWindow.USER32(00000005,00000000), ref: 0040399E
LoadLibraryA.KERNELBASE(RichEd20), ref: 004039AF
LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
RegisterClassA.USER32(00422EA0), ref: 004039E0
DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF

Strings

Call, xrefs: 00403845, 0040384D, 0040385A, 004038A4, 004038AA
.DEFAULT\Control Panel\International, xrefs: 004037ED
C:\Users\user\AppData\Local\Temp\, xrefs: 00403793
_Nb, xrefs: 004038FA, 00403962
RichEdit20A, xrefs: 004039C2, 004039C8
RichEd32, xrefs: 004039B5
"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe", xrefs: 0040378B
C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 00403811, 00403819, 004038B1, 004038B7, 004038C7
Control Panel\Desktop\ResourceLocale, xrefs: 004037BB
.exe, xrefs: 00403884
RichEdit, xrefs: 004039D1
RichEd20, xrefs: 004039AA
1033, xrefs: 004037A7, 004037FD
Tosporet Setup: Installing, xrefs: 004037B3, 004037B9, 004037DE, 004037E7, 004037FC

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Tosporet Setup: Installing$_Nb
API String ID: 914957316-3282149653
Opcode ID: 4a258d8796fa34fddb02ec2619d55facefc74f4564d7f9f136a4b3ccd76ffb40
Instruction ID: 361ceaa5e45529a70bb989737ed67fdedcb7c759bf8cf29c3cde223c60b7be46
Opcode Fuzzy Hash: 4a258d8796fa34fddb02ec2619d55facefc74f4564d7f9f136a4b3ccd76ffb40
Instruction Fuzzy Hash: E661E6B16442007EE720AF659D45F273E6CEB8475AF40407FF941B22E2D67C9D02DA6E

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C8D
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,00000400), ref: 00402CA9

Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,80000000,00000003), ref: 004059CB
Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,80000000,00000003), ref: 00402CF2
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E39

Strings

Error launching installer, xrefs: 00402CC9
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
soft, xrefs: 00402D69
C:\Users\user\Desktop, xrefs: 00402CD4, 00402CD9, 00402CDF
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C86, 00402E51
C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe, xrefs: 00402C93, 00402CA2, 00402CB6, 00402CD3
Null, xrefs: 00402D72
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe", xrefs: 00402C79
Inst, xrefs: 00402D60

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-4244473902
Opcode ID: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
Instruction ID: 2a27acbe37a486d3f9fadad6f2898e15cdcbef103c1943e89973ac3215dbffb0
Opcode Fuzzy Hash: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
Instruction Fuzzy Hash: BC61C671A40205ABDF20AF64DE89B9A76B4EF00315F20413BF904B72D1D7BC9E418BAD

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 108015169a1f9511be137f3b76d088d284be53ebd3be1ec406ce9b744c5ee79e
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

Part of subcall function 0040501F: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Strings

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 0040176C
C:\Users\user\AppData\Local\Temp\nsnA57E.tmp, xrefs: 00401789, 004017F8, 00401816
Call, xrefs: 0040175B, 00401764, 00401771, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll, xrefs: 0040180C, 00401828

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike$C:\Users\user\AppData\Local\Temp\nsnA57E.tmp$C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll$Call
API String ID: 1941528284-3921920767
Opcode ID: bbab41b7c65da336fcc9d622b469fe6745b6c4ed629919caf82812cee6b4992a
Instruction ID: 7da2985f373e49f587e0f88560f455237d5d3a700d2e38046b33ad83bb6d7614
Opcode Fuzzy Hash: bbab41b7c65da336fcc9d622b469fe6745b6c4ed629919caf82812cee6b4992a
Instruction Fuzzy Hash: 0341B871910515BACF10BFA5DC46DAF3679DF41369F20823BF511F10E1D63C8A419A6E

Function 0040501F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll), ref: 0040508D
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll, xrefs: 0040503F, 00405051, 00405057, 0040507A, 00405086

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll
API String ID: 2531174081-3705411113
Opcode ID: fe51e3db3acd615496ccbf9ac5cad90a085764a87c5addfa2b073bf2a2aea827
Instruction ID: 2b33129011dff48d1edd85efe61027b37dbb0349f6b457de8e93b882053e083c
Opcode Fuzzy Hash: fe51e3db3acd615496ccbf9ac5cad90a085764a87c5addfa2b073bf2a2aea827
Instruction Fuzzy Hash: C2219071900508BBDB119FA5CD84ADFBFB9EF14354F14807AF544B6290C2794E45DFA8

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 0040501F: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Strings

("o, xrefs: 00401FE2

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ("o
API String ID: 2987980305-3013670051
Opcode ID: 5319e110b6e8a5b1d5967b6e1ac55a36922c91fdf13baa78a076f75be2177e55
Instruction ID: 23a464ffe6ca8440643a385a127484fd4ee8ad6b227fb7efa4d26ad3fc5b3ac3
Opcode Fuzzy Hash: 5319e110b6e8a5b1d5967b6e1ac55a36922c91fdf13baa78a076f75be2177e55
Instruction Fuzzy Hash: D7210872904211BACF107FA48E49A6E39B0AB44358F60823BF601B62D1D7BC4941AA6E

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsnA57E.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsnA57E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsnA57E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Strings

C:\Users\user\AppData\Local\Temp\nsnA57E.tmp, xrefs: 0040236B, 00402379, 0040238D, 0040239D, 004023A8

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp
API String ID: 1356686001-3215501296
Opcode ID: b5d2e43241cc5f1c643ac0585cf0187cb16dde17b219008d57ea00b15267c4df
Instruction ID: 937c1904c824b73ffe337d2eacc138a1f8ac1658d2030852d1a46e58dbdf142b
Opcode Fuzzy Hash: b5d2e43241cc5f1c643ac0585cf0187cb16dde17b219008d57ea00b15267c4df
Instruction Fuzzy Hash: D71172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040585F: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike
API String ID: 3751793516-862733243
Opcode ID: 2a622bc09443ca50187ba2ee159019b7cd2e59548df6293550867165e211735f
Instruction ID: decf54c0780f34986dcb1f6dc2400c6331eb5c21fa926316ee50895bb5337331
Opcode Fuzzy Hash: 2a622bc09443ca50187ba2ee159019b7cd2e59548df6293550867165e211735f
Instruction Fuzzy Hash: CE11E931908150ABDB217F755D4496F67B4EA62365728473FF891B22D2C23C4D42E62E

Function 004059F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405A0A
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405A24

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059F9, 004059FD
nsa, xrefs: 00405A01
"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe", xrefs: 004059F6

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-816644046
Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction ID: 2f7b9810ed7c5924072585cf2130ed1295747d9915b618abfa336aedeca5813d
Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction Fuzzy Hash: C1F0E2327482487BDB008F1ADC44B9B7B9CDF91710F00C03BF904AA280D2B0A8008B68

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 1000258D: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FF

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: cd3a49c7226bd267e48e570e062e78a21ab1dc0dccc3f926e80528383bd8a00b
Instruction ID: 946e86dc2be410c0748ecba0c1d48508df540d87c222276c6f0f58241c559a10
Opcode Fuzzy Hash: cd3a49c7226bd267e48e570e062e78a21ab1dc0dccc3f926e80528383bd8a00b
Instruction Fuzzy Hash: C5318B79408205DAFB41DF649CC5BCA37ECFB042D5F018465FA0A9A09ADF78A8458A60

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040304F

Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
WriteFile.KERNELBASE(0040A8A0,0040FBC1,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
SetFilePointer.KERNELBASE(0013656A,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
Instruction ID: 01a25493adf58fb9a894681412e440a2e883d4234beea4965eba9eb13e735820
Opcode Fuzzy Hash: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
Instruction Fuzzy Hash: CC414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389D52CB5E

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNELBASE(00000000,?,C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll
API String ID: 427699356-82958726
Opcode ID: 7a3ba9340afd46c78bea2cb4cb31887ebc91b7920a860de9f64b3c7245c284d2
Instruction ID: 4826b5ec7f58a8945af1d05ae4e09a11cd1e532a13e769836b40841c5f4177c7
Opcode Fuzzy Hash: 7a3ba9340afd46c78bea2cb4cb31887ebc91b7920a860de9f64b3c7245c284d2
Instruction Fuzzy Hash: 80F054B2A54244BFDB40ABA19E499EB66A4DB40309F10443FB141F61C2D5BC4941A66A

Function 004054E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421500,Error launching installer), ref: 0040550E
CloseHandle.KERNEL32(?), ref: 0040551B

Strings

Error launching installer, xrefs: 004054F8

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
Instruction ID: 0ae392a05d3974bec86de51aa2f8a5c28ff0ee3cdd976454f3eed0d5dd72dd2a
Opcode Fuzzy Hash: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
Instruction Fuzzy Hash: 2BE0BFB4A00209BFEB109FA4ED05F7B76ADEB14745F508561BD11F2160E774A9108A79

Function 004031E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00403204

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004031E4, 004031E9, 004031EF, 004031FB, 00403203, 0040320A
1033, xrefs: 0040320B

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3144792594
Opcode ID: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
Instruction ID: 89773af62672bbf6302d30782f314b1c1bc42d6855f09756152acd8bf908297a
Opcode Fuzzy Hash: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
Instruction Fuzzy Hash: 24D0C71290AD3066D5513B6A7C46FCF050C8F4675DF11807BF904751C58F6C555395EF

Function 00406745 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6151eb6114a7c7dde5596e7ed141339a6810161cd6e35f889c2edb9118ca88
Instruction ID: d3f30c549e8eaa155af2d8805db43d359078549a114e1d1e4cfdde4495a9482f
Opcode Fuzzy Hash: fa6151eb6114a7c7dde5596e7ed141339a6810161cd6e35f889c2edb9118ca88
Instruction Fuzzy Hash: 13A14471E00228CBDF28DFA8C8447ADBBB1FB45305F15816ED816BB281D7785A96DF44

Function 00406946 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dede487193b96133ea94438acbc75bab27e7ac1b94d370ef06066709f64446
Instruction ID: 66af66db22d428e7cee4185570621c0262e28a8f97ef0091af547b150b1cef7f
Opcode Fuzzy Hash: e9dede487193b96133ea94438acbc75bab27e7ac1b94d370ef06066709f64446
Instruction Fuzzy Hash: 7F912170E00228CBDF28DF98C8947ADBBB1FB45305F15816ED816BB281C7786A96DF44

Function 0040665C Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d995426ddd841542114576c7cd3986778113386b5e0d0d2bb3b42046c5d03f
Instruction ID: 36158da5dd70985ab85e2c4d41886ca33cae813362c0b87a96f868d92fb05337
Opcode Fuzzy Hash: d2d995426ddd841542114576c7cd3986778113386b5e0d0d2bb3b42046c5d03f
Instruction Fuzzy Hash: 65815771D00228CFDF24CFA8C8847ADBBB1FB45305F25816AD816BB281D778A996DF15

Function 00406161 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ae08bc292ff831ddf939399879833efa26d2e617e1386947dce183f6739e75
Instruction ID: 1715bfb1c3d5716620224504c503b3d15fe2aa0a2bbcc08a305e6ffc6cb4203b
Opcode Fuzzy Hash: 68ae08bc292ff831ddf939399879833efa26d2e617e1386947dce183f6739e75
Instruction Fuzzy Hash: 53817771D00228DBDF24CFA8C8447ADBBB0FB44301F2581AED856BB281D7786A96DF45

Function 004065AF Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2929f55d3e8b81ac1e584e7399a4f2facda7d772583105b5c0ec75abe6cb9a93
Instruction ID: 032b7c8430df6362c90b97cb5f8c3133674bcd2d0f853081a3cdcc23126a0f5c
Opcode Fuzzy Hash: 2929f55d3e8b81ac1e584e7399a4f2facda7d772583105b5c0ec75abe6cb9a93
Instruction Fuzzy Hash: 87711371D00228CFDF24CF98C8847ADBBB1FB48305F15806AD816BB281D7785996DF45

Function 004066CD Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948a468c2091db2feb9fa4c22586628b65dd678cc983fa395508304452d62250
Instruction ID: 3e9dbefe820a1d4baf734be7fb741bb2fb66d8e6f9ed59188b506b6c9edb630d
Opcode Fuzzy Hash: 948a468c2091db2feb9fa4c22586628b65dd678cc983fa395508304452d62250
Instruction Fuzzy Hash: AB711371E00228CBDF28CF98C884BADBBB1FB44305F15816ED816BB281D7786996DF45

Function 00406619 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d63a3d575cf43ccaec2b316c623d79440d1cb8ee82c5371297a3fda91248972
Instruction ID: 1812ff5f5430a706778d8acc512246fd3c212bc7acfdfbe5d0fa3af8c8d1a12f
Opcode Fuzzy Hash: 2d63a3d575cf43ccaec2b316c623d79440d1cb8ee82c5371297a3fda91248972
Instruction Fuzzy Hash: AD712471E00228CBDF28DF98C844BADBBB1FB44305F15806ED856BB291C7786A96DF45

Function 00402F1F Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD2

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
Instruction ID: 3b6e370e410e3f669d4a968ba26e16673121f6254c39c59cd6eb20204b18cf3c
Opcode Fuzzy Hash: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
Instruction Fuzzy Hash: 14313931502259FFDF20DF55DD44A9E3BA8EF04395F20403AF908A61D0D2789A41EBA9

Function 00401E32 Relevance: 4.5, APIs: 3, Instructions: 48synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040501F: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Part of subcall function 004054E5: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421500,Error launching installer), ref: 0040550E
Part of subcall function 004054E5: CloseHandle.KERNEL32(?), ref: 0040551B

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
CloseHandle.KERNELBASE(?,00000000,000000EB,00000000), ref: 00401EA1

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 6d5b4df7f3f042f549e26a8ca851069bd4f569f0361fe87acde780f9e8383ee7
Instruction ID: a57a420adebbec2e463a2757bf84d9d81012cc1a8c5c1569ff173e75ada2264d
Opcode Fuzzy Hash: 6d5b4df7f3f042f549e26a8ca851069bd4f569f0361fe87acde780f9e8383ee7
Instruction Fuzzy Hash: 66014031904114FBDF21AFA1DD859EE7B71EB40345F10857BFA01B51E1C3794A81EBAA

Function 00405C1D Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405E62,00000000,00000002,?,00000002,?,?,00405E62,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405C46
RegQueryValueExA.KERNELBASE(?,?,00000000,00405E62,?,00405E62), ref: 00405C67
RegCloseKey.KERNELBASE(?), ref: 00405C88

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction ID: f8269c4da42e469e915d7b724f411cb256963c2af92f405d5d85614ed9ec7fb6
Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
Instruction Fuzzy Hash: 8801487114420EEFEB128F64EC44EEB3FACEF15394F00402AF945A6220D235D964DBA5

Function 0040243A Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsnA57E.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 644ba4b7322b66dce4c699ceae064ea5186855f8b21283cab721fd429f29c5cc
Instruction ID: 09a8887cd5e4729410dcfabe5c46d2a670465c21522258ca6cdcbf1033b2090e
Opcode Fuzzy Hash: 644ba4b7322b66dce4c699ceae064ea5186855f8b21283cab721fd429f29c5cc
Instruction Fuzzy Hash: E8F08671904204FFD7119F659D8CEBF7A6CEB40748F10453EF441B62C0D6B95E41966A

Function 004055AE Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004059A2: GetFileAttributesA.KERNELBASE(?,?,004055BA,?,?,00000000,0040579D,?,?,?,?), ref: 004059A7
Part of subcall function 004059A2: SetFileAttributesA.KERNELBASE(?,00000000), ref: 004059BB

RemoveDirectoryA.KERNEL32(?,?,?,00000000,0040579D), ref: 004055C9
DeleteFileA.KERNELBASE(?,?,?,00000000,0040579D), ref: 004055D1
SetFileAttributesA.KERNEL32(?,00000000), ref: 004055E9

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: abd038863be241f110d95ccd9fde628896f101e4ff1c11c0b7d20b5ecf2a2518
Instruction ID: 12c6f0b15b18e033ed95b071f1fc2c07b3079c0683f10f414bd997d86f240b92
Opcode Fuzzy Hash: abd038863be241f110d95ccd9fde628896f101e4ff1c11c0b7d20b5ecf2a2518
Instruction Fuzzy Hash: 98E0E532518A5067C21057309D08A5F3ADADFCA324F044936F492F21D4DB7848068ABA

Function 00401DD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike,?), ref: 00401E1E

Strings

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 00401E09

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike
API String ID: 587946157-862733243
Opcode ID: 66519f536f70328b3ce23f8ed94e950144d2fd5449f9bef0e6ae71cafd5ff2e4
Instruction ID: 92cbb6ba42742382510c3a8e41a68a30635fa0dc9ae6a59fa4a75f74f7b170a3
Opcode Fuzzy Hash: 66519f536f70328b3ce23f8ed94e950144d2fd5449f9bef0e6ae71cafd5ff2e4
Instruction Fuzzy Hash: 8DF0F6B3B041047ACB41ABB59E4AE5D2BA4EB41718F240A3BF400F71C2DAFC8841F728

Function 100027EC Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 100028AB
GetLastError.KERNEL32 ref: 100029B2

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction ID: 2b4501ff186f60f2b29b8b71d76009b37135a14f8b8ad132536a4a21bb517402
Opcode Fuzzy Hash: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction Fuzzy Hash: 9E51A4BA908214DFFB14DF60DCC5B5937A8EB443D4F218429EA08E725DDF38A981CB94

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004019F1 Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A04
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A17

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 9bea9ff0f32edb465556edde0149644beb3132e1d0783da20080aef97cccd5be
Instruction ID: e1e98ceffc8efcc411d1cb62caadeb15d6b2150a68b253517cb8490ae8184d68
Opcode Fuzzy Hash: 9bea9ff0f32edb465556edde0149644beb3132e1d0783da20080aef97cccd5be
Instruction Fuzzy Hash: 2FF0A772F05201EBCB21CF699D44A9B7FE4EF51350B10803BE545F6190D2788541EB59

Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
EnableWindow.USER32(00000000,00000000), ref: 00401DCD

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5d4156b77268c72d9e3eaff2de93184d03509ee6b077f4337f4a820dda01516b
Instruction ID: 18ac702c75a7039fec00373c4f699ed09bc4c8ec852dd7b5b9a0ef8cb6e9c66a
Opcode Fuzzy Hash: 5d4156b77268c72d9e3eaff2de93184d03509ee6b077f4337f4a820dda01516b
Instruction Fuzzy Hash: 39E0CD72B04110EBCB10BBB45D4A55E3374DF10359B10443BF501F11C1D2B85C40565D

Function 004059C7 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,80000000,00000003), ref: 004059CB
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction ID: 21e5f81f3e52fa2c8f9e5bc24a994218dd140026ef3a1e453d479de883aad6ce
Opcode Fuzzy Hash: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction Fuzzy Hash: 94D09E31668301AFEF098F20DD16F2E7BA2EB84B00F10562CB682D40E0D6755815DB16

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004055BA,?,?,00000000,0040579D,?,?,?,?), ref: 004059A7
SetFileAttributesA.KERNELBASE(?,00000000), ref: 004059BB

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction ID: a98ca5448702c3e829ea1667e49b0be7f6aa4c87fef4348ac0342a167d80fd98
Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction Fuzzy Hash: 19D0C9B2918120EBC2102728AD0889BBF69EB542717018B31F865A22B0C7304C52DAA9

Function 00402519 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 782d5d7a015de57d641f2625727537b2e8a64e8a203226d51b7ee4238bd53e1d
Instruction ID: 80d1f72451bcef36c881c8715d37a41c16cfaf5c23ac720a97db8ffa6bd4d959
Opcode Fuzzy Hash: 782d5d7a015de57d641f2625727537b2e8a64e8a203226d51b7ee4238bd53e1d
Instruction Fuzzy Hash: C121D870D05295BEDF229F644A581EEBBB09B05304F64407FE491BA3C5E1BC9A82CB2D

Function 0040223B Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402274

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction ID: 05d4d75dbd01593bae97f630dbecede8c42f44da552b6d0f9ca4defc7305ba5b
Opcode Fuzzy Hash: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction Fuzzy Hash: 2FE04F72B001696ADB903AF18F8DD7F21597B84304F15067EF611B62C2D9BC0D81A2B9

Function 004025D3 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025ED

Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: f6b622efafe1ba94147637c824cd162c2e50e451d5b8b7382d4d1d46b47572d6
Instruction ID: 0a8c9e11f48196ea829b02b8213bca88da5b23a5d36cc3de3ae654890f4390ea
Opcode Fuzzy Hash: f6b622efafe1ba94147637c824cd162c2e50e451d5b8b7382d4d1d46b47572d6
Instruction Fuzzy Hash: E4E04FB6A04220BBDB01BBA59E4ADBF6768EB50309B14853BF501F40C1D3BD4802962E

Function 00402B07 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction ID: 087740a894708ae54e311fe38564fcb001a0ed9e3d0f4d4a62d19f1d4de25a1d
Opcode Fuzzy Hash: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction Fuzzy Hash: 38E046B6250108AADB40EFA4EE4AF9537ECFB04700F008021BA08E7091CA78E5509B69

Function 00405A3F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128A0,0040A8A0,004031C9,00409130,00409130,004030BB,004128A0,00004000,?,00000000,?), ref: 00405A53

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction ID: 55609983f428609d3339a900fe5ea2c3161a13bcf9e808ef2cae39733250456b
Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction Fuzzy Hash: F7E08C3231025AABDF109EA09C40AEB3B6CEB00760F084432FA14E2040D230E9218FA5

Function 1000270F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 1000272D

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4dab7c069dd6fc30f8915db09394f7f991a1b088a201bba37056324bf7fcc065
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 98F09BF19092A0DEF360DF688CC47063FE4E3993D5B03852AE358F6269EB7441448B19

Function 0040227F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022B2

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction ID: 1024819f7f1d2ea578916dba6ac29c28ac22902c13986e1de9ff5d702d2d6265
Opcode Fuzzy Hash: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction Fuzzy Hash: B9E08671A44209BADB406FA08E09EBD3668BF01710F10013AF9507B0D1EBB88442F72D

Function 00401595 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c66d089d5a2f634c2935052129529c912c52a98a4509ae0e2fc4e9bc41e15f47
Instruction ID: bed2877986d8c12a83e01492d596720214e57a472dec7050afa6ab6fccae40cd
Opcode Fuzzy Hash: c66d089d5a2f634c2935052129529c912c52a98a4509ae0e2fc4e9bc41e15f47
Instruction Fuzzy Hash: 17D01277B08114E7DB00DBB5AE48A9E73A4FB50325F208637D111F11D0D3B98551A629

Function 00404038 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0001044C,00000000,00000000,00000000), ref: 0040404A

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: af7fd4c3fc1dda8ad1a195a9021ea177fcc43fc0d0bb539f8953ea950d20d41d
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: DFC09B717443007BEA31DB509D49F077758A750B00F5584357320F50D0C6B4F451D62D

Function 00404021 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 004031CC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040400E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403DEB), ref: 00404018

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction ID: f87940b9544c4de7e657a104dd6f20edac94ef916c9b89b279468f5034d51d6a
Opcode Fuzzy Hash: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction Fuzzy Hash: E2A01231404001DBCB014B10DF04C45FF21B7503007018030E50140034C6310420FF09

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c9c2d380323125baba7308e94fb33277af884a6ec96610a08fce4469fec28eac
Instruction ID: 4daead48d26ae6742cc4751adb680189456718570d67c7320b978f12710e1ab5
Opcode Fuzzy Hash: c9c2d380323125baba7308e94fb33277af884a6ec96610a08fce4469fec28eac
Instruction Fuzzy Hash: DFD0C7B7B141006BD750E7B86E8545A73E8F75135A7148837D502E1191D17DC9415519

Function 10001215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction ID: 35b308b173d9b0532f6cde55f5bface33093279d7ce3c78a2cc6db588f634b90
Opcode Fuzzy Hash: 6989041179a6ec659f8410a82a3610e1053cc9f4ca9d652552d89decbf4b4a90
Instruction Fuzzy Hash: 6CA002B1945620DBFE429BE08D9EF1B3B25E748781F01C040E315641BCCA754010DF39

Non-executed Functions

Function 0040499C Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049B4
GetDlgItem.USER32(?,00000408), ref: 004049BF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A09
LoadBitmapA.USER32(0000006E), ref: 00404A1C
SetWindowLongA.USER32(?,000000FC,00404F93), ref: 00404A35
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A49
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A5B
SendMessageA.USER32(?,00001109,00000002), ref: 00404A71
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A7D
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A8F
DeleteObject.GDI32(00000000), ref: 00404A92
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404ABD
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404AC9
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5E
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B89
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B9D
GetWindowLongA.USER32(?,000000F0), ref: 00404BCC
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404BDA
ShowWindow.USER32(?,00000005), ref: 00404BEB
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CE8
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D4D
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D62
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D86
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DA6
ImageList_Destroy.COMCTL32(00000000), ref: 00404DBB
GlobalFree.KERNEL32(00000000), ref: 00404DCB
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E44
SendMessageA.USER32(?,00001102,?,?), ref: 00404EED
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EFC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F1C
ShowWindow.USER32(?,00000000), ref: 00404F6A
GetDlgItem.USER32(?,000003FE), ref: 00404F75
ShowWindow.USER32(00000000), ref: 00404F7C

Strings

M, xrefs: 00404B45
, xrefs: 00404F54
N, xrefs: 00404C26

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: f96aeeab4a25318005a3a9f7b7ecea2fbdc3284bb246aef355b8d85046c4ff9d
Instruction ID: ec1b41ef9246f4b5ca9c31e675ea93c5522bc938a585a88f05d0904c7564d9ec
Opcode Fuzzy Hash: f96aeeab4a25318005a3a9f7b7ecea2fbdc3284bb246aef355b8d85046c4ff9d
Instruction Fuzzy Hash: 7A025FB0900209AFEB10DF94DC85AAE7BB5FB84315F10817AFA10B62E1D7789D42DF58

Function 0040442A Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404479
SetWindowTextA.USER32(00000000,?), ref: 004044A3
SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
CoTaskMemFree.OLE32(00000000), ref: 0040455F
lstrcmpiA.KERNEL32(Call,Tosporet Setup: Installing), ref: 00404591
lstrcatA.KERNEL32(?,Call), ref: 0040459D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF

Part of subcall function 0040552E: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 00405541

Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B

GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404687

Part of subcall function 004047E0: lstrlenA.KERNEL32(Tosporet Setup: Installing,Tosporet Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
Part of subcall function 004047E0: wsprintfA.USER32 ref: 00404886
Part of subcall function 004047E0: SetDlgItemTextA.USER32(?,Tosporet Setup: Installing), ref: 00404899

Strings

Call, xrefs: 0040458B, 00404590, 0040459B
A, xrefs: 0040454D
Tosporet Setup: Installing, xrefs: 00404527, 0040458A
C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike, xrefs: 0040457A

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike$Call$Tosporet Setup: Installing
API String ID: 2624150263-4253715792
Opcode ID: f98f00a644f458d2e02a584555e30f134e65ef2c05e9b8026b1db21ee3dd4a2e
Instruction ID: 5a451af96f6c61f8b8aedc9e732e962e3b59a2a539d705b9404eba0a1a8e20eb
Opcode Fuzzy Hash: f98f00a644f458d2e02a584555e30f134e65ef2c05e9b8026b1db21ee3dd4a2e
Instruction Fuzzy Hash: A6A162B1900208ABDB11AFA6CD45AEFB7B9EF85314F10843BF611B72D1D77C89418B69

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8c73969c0d40863ae126986d1f1e8202bdf4bd21bda08d418c229d82633c171d
Instruction ID: 2b7524724565807a685c72c68d6b6eabb337ae57375c882a310f3ed35d4a28aa
Opcode Fuzzy Hash: 8c73969c0d40863ae126986d1f1e8202bdf4bd21bda08d418c229d82633c171d
Instruction Fuzzy Hash: D4F0EC72504110EBD700EBB4994DAEE77B8DF51314F60457BE141F21C1D3B84945E72E

Function 00404135 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C0
GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F2
GetSysColor.USER32(?), ref: 00404203
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
lstrlenA.KERNEL32(?), ref: 00404224
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
GetDlgItem.USER32(?,0000040A), ref: 004042AA
SendMessageA.USER32(00000000), ref: 004042AD
GetDlgItem.USER32(?,000003E8), ref: 004042D8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
LoadCursorA.USER32(00000000,00007F02), ref: 00404327
SetCursor.USER32(00000000), ref: 00404330
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404343
LoadCursorA.USER32(00000000,00007F00), ref: 00404350
SetCursor.USER32(00000000), ref: 00404353
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040437F
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404393

Strings

Call, xrefs: 00404303
open, xrefs: 0040433B
N, xrefs: 004042C6

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction ID: 47d1c741c4840d0b501b4796cf3fe0e3440e9ec9cd7b0debe1a5eac4f9bfffd7
Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction Fuzzy Hash: 8F61A0B1A40309BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99

Function 00405A6E Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405C12,?,?,00000001,004057B5,?,00000000,000000F1,?), ref: 00405A7E
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405C12,?,?,00000001,004057B5,?,00000000,000000F1,?), ref: 00405AA2
GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405AAB

Part of subcall function 0040592C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
Part of subcall function 0040592C: lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E

GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405AC8
wsprintfA.USER32 ref: 00405AE6
GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,00000004,00421E88,?,?,?,?,?), ref: 00405B21
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B30
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B68
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BBE
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405BD0
GlobalFree.KERNEL32(00000000), ref: 00405BD7
CloseHandle.KERNEL32(00000000), ref: 00405BDE

Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,80000000,00000003), ref: 004059CB
Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

Strings

%s=%s, xrefs: 00405ADC
[Rename], xrefs: 00405B50, 00405B62
NUL, xrefs: 00405A78

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 10d4b8fe51d6b6f2625f365b8b26cf256cf2f07af5c2bd562b8105816d8408bc
Instruction ID: 2d1e09aab0418ff75005a817fdb93eb8b9645243d234663ae25a64343302d3c0
Opcode Fuzzy Hash: 10d4b8fe51d6b6f2625f365b8b26cf256cf2f07af5c2bd562b8105816d8408bc
Instruction Fuzzy Hash: BE41DEB1604A15BFD6206B219C49F6B3A6CDF45718F14053BBE01FA2D2EA7CB8018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405FA1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
CharNextA.USER32(?,?,?,00000000), ref: 00406006
CharNextA.USER32(?,"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B

Strings

*?|<>/":, xrefs: 00405FE9
C:\Users\user\AppData\Local\Temp\, xrefs: 00405FA2, 00405FA7
"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe", xrefs: 00405FDD

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3818978384
Opcode ID: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
Instruction ID: 96a923a8ee4f60b6f191beee89bac6a1f57d38d5d4ddb578b75945660f6dc773
Opcode Fuzzy Hash: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
Instruction Fuzzy Hash: 57110451908B9229FB325A284C40B777F99CF5A760F18047FE5C1722C2C67C5C529B6E

Function 00404053 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404070
GetSysColor.USER32(00000000), ref: 0040408C
SetTextColor.GDI32(?,00000000), ref: 00404098
SetBkMode.GDI32(?,?), ref: 004040A4
GetSysColor.USER32(?), ref: 004040B7
SetBkColor.GDI32(?,?), ref: 004040C7
DeleteObject.GDI32(?), ref: 004040E1
CreateBrushIndirect.GDI32(?), ref: 004040EB

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction ID: fe65b043c70383bd2b49c92c90746d4950a0c6047a38c1932a2dc3020861886a
Opcode Fuzzy Hash: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction Fuzzy Hash: F6418BB1108711EFF720DFA48884B5BB7F8FF443D1F218929F946D61A9DB34AA448B61

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNELBASE(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B9
GlobalFree.KERNEL32(00000000), ref: 100024F3

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction ID: 82133e1bc6da927614d5bcfc3b496831b4cb396c3e6da136b8b2dca3161aa200
Opcode Fuzzy Hash: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction Fuzzy Hash: 75319CB1504251EFF722CF94CCC4C6B7BBDEB852D4B128569FA4193228DB31AC54DB62

Function 00402683 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
Instruction ID: 552098977e22cffcc29eaacdabede243c0f20e1b5d71923adfcfca28e3e686eb
Opcode Fuzzy Hash: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
Instruction Fuzzy Hash: 63318DB1C00118BFCF216FA5CD89DAE7E79EF09364F10423AF520762E1C6795D419BA9

Function 00402BDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
GetTickCount.KERNEL32 ref: 00402C10
wsprintfA.USER32 ref: 00402C3E

Part of subcall function 0040501F: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
ShowWindow.USER32(00000000,00000005), ref: 00402C70

Part of subcall function 00402BBE: MulDiv.KERNEL32(00036845,00000064,00038D48), ref: 00402BD3

Strings

... %d%%, xrefs: 00402C38

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 4774796197fe5164bdbc165248605a4c2f395ef1972e6126fe3027443e66bd13
Instruction ID: 53b2eec8c243fd5a5b591a6d8e7090b5e500d3da6e0592f5c5af2241ed808ea0
Opcode Fuzzy Hash: 4774796197fe5164bdbc165248605a4c2f395ef1972e6126fe3027443e66bd13
Instruction Fuzzy Hash: AB0188B0949614ABDB216F64AE4DE9F7B7CFB017057148037FA01B11E1C6B8D541CBAE

Function 004048EA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404905
GetMessagePos.USER32 ref: 0040490D
ScreenToClient.USER32(?,?), ref: 00404927
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404939
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040495F

Strings

f, xrefs: 0040493B

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: 7baaa9b85802c8a5173365c44ed2834cc31749f5d024e9fb4d2ec5e64c2f69ce
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: E40140B1D00218BADB01DBA4DC85FFFBBBCAB95721F10412BBA10B61D0C7B469018BA5

Function 00402B42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B86, 00402B8F
unpacking data: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
Instruction ID: 4b4d840d1cf11f9656568dd8641bec75cd76f4f3bd4f461a87d93eb2d0bf3f96
Opcode Fuzzy Hash: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
Instruction Fuzzy Hash: F7F01D70900208BBEF215F61DD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A

Function 004047E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Tosporet Setup: Installing,Tosporet Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
wsprintfA.USER32 ref: 00404886
SetDlgItemTextA.USER32(?,Tosporet Setup: Installing), ref: 00404899

Strings

%u.%u%s%s, xrefs: 00404868
Tosporet Setup: Installing, xrefs: 00404870, 00404875, 0040487B, 0040488F

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Tosporet Setup: Installing
API String ID: 3540041739-4004758435
Opcode ID: 878f77dbdcb51275c09da16e61d4023f379ce68319930481f66ff31823ee0149
Instruction ID: 8631c14a921e8479d2aaee063571767324bc63c1cfe9171b6f21c1c007081b9c
Opcode Fuzzy Hash: 878f77dbdcb51275c09da16e61d4023f379ce68319930481f66ff31823ee0149
Instruction Fuzzy Hash: 90112433A441283BDB0065AD9C49EAF328CDF81334F244637FA25F61D1E9788C1292E8

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction ID: 97b6efd1b10b48d7ee9b7c7fbc92de58723c24235f199e6d6d25645bb0e8c5d4
Opcode Fuzzy Hash: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction Fuzzy Hash: DC512532D04159AEFB55DFB488A4AEEBBF6EF453C0F12416AE841B315DCA306E4087D2

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 5733a3c7ed8837a4e33d89bc0436a18c4a21248f1d51b77dead4e3ad8d80db37
Instruction ID: 1cfc72d501241f28ff1c9237e437913a5e8660848d06dce24e2e83bd327c9a1b
Opcode Fuzzy Hash: 5733a3c7ed8837a4e33d89bc0436a18c4a21248f1d51b77dead4e3ad8d80db37
Instruction Fuzzy Hash: EA114F71A00108FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0DBB49E559F69

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: feff7bd0ac8b8d98e410c971607266924d1cc5c353d4854e70ab97e8d29ee8d5
Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
Opcode Fuzzy Hash: feff7bd0ac8b8d98e410c971607266924d1cc5c353d4854e70ab97e8d29ee8d5
Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79

Function 00401D26 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 7af4cf4b66e980d364c2e3aa9c64882f60449cc7f52f10eab55021efc1d5f786
Instruction ID: b452d76144ce78c1ea2c31cbd89393ff29a213aa8dcca448cc35c7c7cb6754f7
Opcode Fuzzy Hash: 7af4cf4b66e980d364c2e3aa9c64882f60449cc7f52f10eab55021efc1d5f786
Instruction Fuzzy Hash: F8011271948340AFE701DBB0AE0EB9A7F74EB19705F108535F141B72E2C6B954159B2F

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728

Function 00403A4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 00403AE4

Strings

Tosporet Setup: Installing, xrefs: 00403A4F
"C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe", xrefs: 00403A4D
1033, xrefs: 00403A50, 00403A5A, 00403ACB

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe"$1033$Tosporet Setup: Installing
API String ID: 530164218-2083703288
Opcode ID: c20953c35db1116ecdf277b9f7b3923fed37fef6e8e5c3a171d6f7dc7f85f207
Instruction ID: 694a286dd4981efc18ef326c294584d4bec2a1602357d8abc11fec8a6f834ca0
Opcode Fuzzy Hash: c20953c35db1116ecdf277b9f7b3923fed37fef6e8e5c3a171d6f7dc7f85f207
Instruction Fuzzy Hash: EC11D4B1B046109BCB24DF15DC809337BBDEB8471A329813BE941A73A1C73D9E029A98

Function 004057C6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 004057CC
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 004057D5
lstrcatA.KERNEL32(?,00409014), ref: 004057E6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057C6

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: c144259923a6e848a034fe90771ae4f3275bad2fdba58d127270a3e6eafdfb33
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: 00D0A962606A306BD20222168C09E8F6A08CF06300B044033F204B62B2C63C0D418FFE

Function 00401B11 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(006F2228), ref: 00401B80
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401B92

Strings

Call, xrefs: 00401B38, 00401B3E, 00401B58
("o, xrefs: 00401B14, 00401B44, 00401B53, 00401B7B, 00401BA6, 00401BAD

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Global$AllocFree
String ID: ("o$Call
API String ID: 3394109436-2542331240
Opcode ID: 18ce383e7496548239e61a876cd1621fb13a91c8cdd195502931e4b9b56164df
Instruction ID: f4ea3dfc62e5d1cff0d3b4274299d05e9f4495bdac059fa06bbe17ad9de4a94b
Opcode Fuzzy Hash: 18ce383e7496548239e61a876cd1621fb13a91c8cdd195502931e4b9b56164df
Instruction Fuzzy Hash: 1721C072A00211ABC720EBA4CE8895E73B9EB54714724C53BF505B32D0D77CE8119F2E

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
Instruction ID: 9791f4c70c1528f8983e13c97e2cb0ced061aec02aec85b9ff59acd402aedfa8
Opcode Fuzzy Hash: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
Instruction Fuzzy Hash: A0117071901209BEDF01EFA5DD85DAEBBB9EF04344B20807AF505F61A1D7388E55DB28

Function 0040585F Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
CharNextA.USER32(00000000), ref: 00405872
CharNextA.USER32(00000000), ref: 00405886

Strings

C:\Users\user\AppData\Local\Temp\nspAAB1.tmp, xrefs: 00405860

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nspAAB1.tmp
API String ID: 3213498283-2486177878
Opcode ID: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
Instruction ID: 725a23b4e930c3b6c27a7d0cd0e333612dd42f6c53d199a680129a9385ae8045
Opcode Fuzzy Hash: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
Instruction Fuzzy Hash: 74F06253914F516AFB3276645C44B7B5A8CCF56361F188477EE40A62C2C2BC4C618F9A

Function 00404F93 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404FC2
CallWindowProcA.USER32(?,?,?,?), ref: 00405013

Part of subcall function 00404038: SendMessageA.USER32(0001044C,00000000,00000000,00000000), ref: 0040404A

Strings

, xrefs: 00404FA3

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
Instruction ID: 01da3f5901ddaf9404fa7d81b8fd4ad62d8e53e58d7af57a61279808ed2d7cb1
Opcode Fuzzy Hash: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
Instruction Fuzzy Hash: EA018F7110020DABDF209F11DC85E9F3B6AF784758F208037FA04752D1D77A8C92AAAE

Function 004058B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

Part of subcall function 0040585F: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405907
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,00000000,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,C:\Users\user\AppData\Local\Temp\nspAAB1.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00405917

Strings

C:\Users\user\AppData\Local\Temp\nspAAB1.tmp, xrefs: 004058BA, 004058BF, 004058C5, 00405900, 00405906, 0040590E, 00405916

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nspAAB1.tmp
API String ID: 3248276644-2486177878
Opcode ID: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
Instruction ID: cee4b60d78671bb78a10d3fddc0396ac835ea714c96625339261d657e7680c9f
Opcode Fuzzy Hash: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
Instruction Fuzzy Hash: 0AF02823105D6026C63233391C09AAF1B95CE86368B24853FFC51B22D1DB3C8863DE7E

Function 004036F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,004036C9,75573410,004034D6,?), ref: 0040370C
GlobalFree.KERNEL32(006BFC28), ref: 00403713

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403704

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction ID: 0fe4964e98027e88380181352afc78dea88c0f551701ba437740c6db36bc47f5
Opcode Fuzzy Hash: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction Fuzzy Hash: 0EE0EC7390512097C6215F96AD04B5ABB686B89B62F06842AED407B3A18B746C418BD9

Function 0040580D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,80000000,00000003), ref: 00405813
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,C:\Users\user\Desktop\Ricowell Ind New INQ.bat.exe,80000000,00000003), ref: 00405821

Strings

C:\Users\user\Desktop, xrefs: 0040580D

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: ba052d51ab232c33a65bcd29671eceb75c11827358d6bb1c4ef4a0a5cf44e1aa
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 94D0A77341AD701EE30372109C04B8F6A48CF16300F098462E440B61A0C2780C414BED

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.3910620506.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3910603560.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910638325.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.3910652324.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_Ricowell Ind New INQ.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 0040592C Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
lstrcmpiA.KERNEL32(00405B5B,00000000), ref: 00405954
CharNextA.USER32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 00405965
lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E

Memory Dump Source

Source File: 00000000.00000002.3903621831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3903609069.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903638596.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903653302.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3903735353.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Ricowell Ind New INQ.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction ID: 6acf3bc3cda9f3bfd2525b0ac34aa546eab038af588102683640af0afc927a81
Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction Fuzzy Hash: 27F0C232604518FFC7129BA4DD40D9FBBA8EF06360B2500AAE800F7250D274EE019FAA

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ricowell Ind New INQ.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Videos\Besiddetrang.lnk

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\Commissionary.Und

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\Praksissernes.kra

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\Stewart.Min

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\dev.med

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\hverdagsagtiges.afh

C:\Users\user\AppData\Local\Rhabdophora\frysere\turnpike\stenhuggeriernes.txt

C:\Users\user\AppData\Local\Temp\nscA58E.tmp

C:\Users\user\AppData\Local\Temp\nsj8F06.tmp

C:\Users\user\AppData\Local\Temp\nsk9FB0.tmp

C:\Users\user\AppData\Local\Temp\nsnA57E.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsoA83F.tmp

C:\Users\user\AppData\Local\Temp\nspAAB1.tmp

C:\Users\user\AppData\Local\Temp\nsqAE0D.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Ricowell Ind New INQ.bat.exe

Function 00403217 Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 337
stringfilecomCOMMON

Function 0040515D Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405D58 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 004055F6 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403787 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 0040501F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00401F68 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Function 004059F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108
fileCOMMON